The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Washington State May Soon Regulate Personal Information Collection by Drones

Two Washington State bills are addressing the issue of government surveillance using drones, and the potential negative impact this could have on privacy.

The first bill, HB 1771, is a bi-partisan bill sponsored by Rep. David Taylor, R-Moxee, which was introduced last year. It calls drones a “public unmanned aircraft system.”

HB 2789 is also sponsored by Rep. David Taylor. It calls drones “extraordinary sensing devices” and its Section 3(1) would have government use of drones “conducted in a transparent manner that is open to public scrutiny.”

Calling drones “devices” instead of “aircraft” has significance for a State famous for its aeronautic industry. Indeed, while HB 1771 passed the House last week, HB 2789 still lingers in Committee.

A Very Broad Definition of Personal Information

HB 2789 and HB 1771 both define what is “personal information” quite broadly, as it would not only encompass a social security or an I.D. number, but also “medical history, ancestry, religion, political ideology, or criminal or employment record.”

Interestingly, it would also encompass information that can be “a basis for inferring personal characteristics” such as “the record of the person’s presence, registration, or membership in an organization or activity, or admission to an institution” or even, “things done by or to such person,” a definition that is so broad that it may encompass just about anything that ever happens to an individual. This definition recognizes that drone surveillance allows for a 24/7 surveillance society.

Personal information also means IP and trade secret information.

Illegal Collection of Data by Drones Must be “Minimized”

Under section 4 of HB 2789, disclosure of personal information acquired by a drone must be conducted in a way that minimizes unauthorized collection and disclosure of personal information. It reprises the words of Section 5 of HB 1771, only replacing ‘public unmanned aircraft’ by ‘extraordinary sensing device.’

I am not sure that I interpreted section 4 correctly, so here is the full text:

All operations of an extraordinary sensing device or disclosure of personal information about any person acquired through the operation of an extraordinary sensing device must be conducted in such a way as to minimize the collection and disclosure of personal information not authorized under this chapter.

So the standard is not complete avoidance of unauthorized collection of personal information, but instead minimization of illegal collection. The wording may reflect the understanding of the legislature that, because of the amazing volume of data that may potentially be collected by drones, including “things done by or to such person,” it would be unrealistic to set a standard of complete avoidance of data collection.

Maybe this “minimizing” standard set by HB 1771 and HB 2789 is a glimpse of the standards for future data protection law…

Warrant Needed to Collect Personal Information by Drones

Under Section 5 of HB 2789, a drone could collect personal information pursuant to a search warrant, which could not exceed a period of ten days.

The standard to obtain a warrant under Section 5(3)(c) of HB 2789 and Section 6(2)(c) of HB 1771 would be “specific and articulable facts demonstrating probable cause to believe that there has been, is, or will be criminal activity.”

Under Section 5(3)(d) of HB 2789, a petition for a search warrant would also have to include a statement that “other methods of data collection have been investigated and found to be either cost prohibitive or pose an unacceptable safety risk to a law enforcement officer or to the public.”

So drones should be, at least for now, still considered an extraordinary method to be used in criminal investigations. Such a statement would not be necessary, though, under HB 1771.

A warrant could not exceed ten days under Section 5(5) of HB 2789, but could not exceed 48 hours under Section 6(4) of HB 1771, and thus HB 1771 would be much more protective for civil liberties. However, as we saw, it is unlikely that HB 1771 will ever be enacted into law.

Warrant Not Needed in Case of an Emergency

Both bills would authorize some warrantless use of drones.

However, under Section 7 of HB 2789 a warrant would not be needed if a law enforcement officer “reasonably determines that an emergency situation exists [involving] criminal activity and presents immediate danger of death or serious physical injury to any person,” and that the use of a drone is thus necessary.

Under Section 8 of HB 1771, it would only be necessary for the law enforcement officer to “reasonably determine that an emergency situation exists that involves immediate danger of death or serious physical injury to any person” which would require the use of a drone, without requiring a pre-determination of criminal activity.

But even if an emergency situation does not involve criminal activity, section 8 of HB 2789 allows for the use of drones without a warrant if there is “immediate danger of death or serious physical injury to any person,” which would require the use of drones in order “to reduce the danger of death or serious physical injury.”

However, such use would only be authorized if it could be reasonably determined that such use of drones “does not intend to collect personal information and is unlikely to accidentally collect personal information,” and also that such use is not done “for purposes of regulatory enforcement.”

Both bills require that an application for a warrant be made within 48 hours after the warrantless use of a drone.

Fruits of the Poisonous Drone

Under section 10 of HB 2789 and section 10 of HB 1771, no personal information acquired illegally by a drone nor any evidence derived from it could be used as evidence in a court of law or by state authorities.

Handling Personal Information Lawfully Collected

Even if personal information has been lawfully collected by drones, such information may not be copied or disclosed for any other purpose than the one for which it has been collected, “unless there is probable cause that the personal information is evidence of criminal activity.”

If there is no such evidence, the information must be deleted within 30 days if the information was collected pursuant to a warrant and 10 days if it was incidentally collected under section 11 of HB 2789, but would have to be deleted within 24 hours under section 11 of HB 1771.

Drone regulation is a new legal issue, but Washington would not be the first State to regulate it. Many other States have introduced similar proposals, though often unsuccessfully. But Florida, Idaho, Illinois, Montana, Oregon, Tennessee, Texas and Virginia have all enacted laws regulating the use of drones for surveillance purposes and North Carolina has enacted a two-year moratorium. It remains to be seen if and when federal legislation will be enacted.



Amicus Briefs filed asking Court to determine if warrantless searches of cell phone data are permissible under the Fourth Amendment

Two recent petitions for certiorari were filed regarding whether the Fourth Amendment permits police officers to search all or some digital contents of an arrestee’s cell phone incident to arrest. Federal courts of appeal and state courts of last resort are divided on this issue. On July 30, 2013, a petition for certiorari was filed asking the Supreme Court to review a California Court of Appeal, Fourth District case, Riley v. California. On August 19, 2013 the U.S. Solicitor General submitted an amicus brief asking the Supreme Court to reverse the First Circuit Court of Appeal’s decision in U.S. v. Wurie. These cases are noteworthy since they touch on arrestees’ rights to their cell phone data and since the Fourth Amendment is a bedrock for privacy law in the United States.

In U.S. v. Wurie, the police confiscated the arrestee’s Verizon LG flip-phone and retrieved the phone number of an incoming call labeled “my house.” The police used that phone number to determine the arrestee’s residence and gather further evidence. In Riley v. California, the police searched the arrestee’s smartphone, made an extensive search of its digital contents, and were able to gather evidence linking the arrestee to more serious crimes. In both instances, the police made the searches without a warrant pursuant to the search-incident-to-arrest exception to the Fourth Amendment that allows police officers to perform a class of searches that have been deemed potentially necessary to preserve destructible evidence or protect police officers.

The question of whether the search of cell phone data could ever be justified under the search-incident-to-arrest exception has come up in federal and state courts in the past, some finding that warrantless cell phone data searches are categorically lawful, others upholding a limited search. In Riley v. California, the California Court of Appeal held that because the cell phone was immediately associated with the arrestee’s person at the time of his arrest, the warrantless search was valid. The First Circuit joined at least two other state courts of last resort in creating a bright-line rule rejecting all warrantless cell phone data searches and declined to create a rule based on particular instances. In its amicus brief, the Solicitor General argued that even if cell phone data searches do not fall under the search-incident-to-arrest exception, the First Circuit erred in imposing a blanket prohibition.

Cell phone data searches struck the First Circuit as “a convenient way for the police to obtain information related to a defendant’s crime of arrest—or other, as yet undiscovered crimes—without having to secure a warrant.”  In rendering its opinion, the court found that data contained on cell phones, such as photographs, videos, written and audio messages, contacts, calendar appointments, web search and browsing history, purchases, and financial and medical records is highly personal in nature, would previously have been stored in one’s home, and reflects private thoughts and activities.  Additionally, the court noted that certain applications, if installed on modern cell phones, provide direct access to the home by remotely connecting to a home computer’s webcam.  Given the highly personal nature of the data and the scope of the search, potentially a home search, the court found that cell phone data is categorically different from otherwise allowable categories of searches incident to arrest. 

The First Circuit rejected the government’s argument that the cell phone data search was necessary to prevent evidence from being destroyed by remote wiping before a warrant issued.  The First Circuit noted that the police have evidence preservation methods, such as removing the phone’s battery, turning off the phone, placing the phone in a device that blocks external electromagnetic radiation, or by making a mirror copy of the phone’s entire contents.  Unlike other circuits, the First Circuit viewed the “slight and truly theoretical risk of evidence destruction,” a risk that was “‘remote’ indeed,” as insufficient when weighed against the “significant privacy implications inherent in cell phone data searches.”  In its amicus brief, the Solicitor General argued that cell phone searches are more critical to preserving extractable evidence than previously allowed searches since co-conspirators could remove data remotely. 

The First Circuit also rejected the government’s argument that searches of items carried on one’s person are justified since the arrestee had a reduced expectation of privacy caused by the arrest.  This was the basis for the California Court of Appeal’s decision in Riley.  The Solicitor General tried to revive this argument in its amicus brief.  The First Circuit rejected this argument since at the time of the precedent cited, the court “could not have envisioned a world in which the vast majority of arrestees would be carrying on their person an item containing not physical evidence but a vast storage of intangible data—data that is not immediately destructible and poses no threat to the arresting officers.”   Allowing police to search such data at the time of arrest would create, in the court’s view, “a serious and recurring threat to the privacy of countless individuals.” 

In making its categorical ban on warrantless cell phone data searches under the search-incident-to-arrest exception, the First Circuit noted that the exigent circumstances exception to the Fourth Amendment warrant requirement might apply where the police have probable cause to believe that the phone contains evidence of a crime, as well as a compelling need to act quickly, that makes it impractical for them to obtain a warrant. 

 

 



Borders’s Sale of Personal Information Approved by Bankruptcy Court

The Wall Street Journal reported this week that Judge Martin Glenn of the U.S. Bankruptcy Court in Manhattan approved on September 26th the $13.9 million sale of Borders’ intellectual property to Barnes & Noble. Intellectual property assets include personal information (PI) that Borders collected from 48 million customers. This PI includes customers’ email addresses, but also records of books and videos they have purchased.

The issue of the privacy rights of Borders’ customers was debated during the process. At a September 22 hearing, Judge Glenn had hesitated to approve the sale over concerns about customers’ privacy. The two sides, working with the Consumer Privacy Ombudsman (CPO) appointed by the court overseeing the Borders bankruptcy, agreed to email Borders’ customers within a day of the sale’s closing to ask them if they wish to opt out of Barnes & Noble’s email list. Records about specific titles bought in the past at Borders won’t be included in the sale.

The CPO had contacted the Federal Trade Commission (FTC) requesting it to provide a written description of its concerns regarding the possible sale of the PI collected by Borders during the bankruptcy proceeding.

Bureau of Consumer Protection Director David Vladeck answered in a letter to the CPO on September 14, which was submitted to the court.

Borders and Its Privacy Policies

Selling PI during bankruptcy is regulated by section 363(b) of the Bankruptcy Code, 11 U.S.C. § 363(b), which provides that:  (our emphasis)

(b) (1) The trustee, after notice and a hearing, may use, sell, or lease, other than in the ordinary course of business, property of the estate, except that if the debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case, then the trustee may not sell or lease personally identifiable information to any person unless —

(A) such sale or such lease is consistent with such policy; or

(B) after appointment of a consumer privacy ombudsman in accordance with section 332, and after notice and a hearing, the court approves such sale or such lease —

(i) giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and

(ii) finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.

Borders’ 2006 and 2007 privacy policies had promised customers that the retailer would only disclose to third parties a customer’s email address or other PI if the customer “expressly consents to such disclosure.” The 2008 privacy policy, however, stated that:

“Circumstances may arise where for strategic or other business reasons, Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal or other information to prospective or actual purchasers, or receiving it from sellers. It is Borders’ practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets.”

However, Mr. Vladeck wrote that the FTC “views this provision as applying to business transactions that would allow Borders to continue operating as a going concern and not to the dissolution of the company and piecemeal sale of assets in bankruptcy” and that “[e]ven if the provision were to apply in the event of a sale or divestiture of assets through bankruptcy, Borders represented that it would “seek appropriate protection” for such information.”

Privacy Policies and Unfair Practice

Mr. Vladeck wrote that the FTC was concerned that any sale or transfer of the PI of Borders’ customers “would contravene Borders’ express promise not to disclose such information and could constitute a deceptive or unfair practice.”

Mr. Vladeck’s letter noted that the FTC brought cases in the past where it alleged that the failure to adhere to a privacy policy is a deceptive practice under the FTC Act. In one of these cases, FTC v. Toysmart, an online retailer had filed for bankruptcy and then tried to sell its customers’ PI. The FTC alleged that the sharing of PI in connection with an offer for sale violated section 5 of the FTC Act, as the retailer had represented in its privacy policy that such information would never be shared with third parties.

Mr. Vladeck wrote that the “Toysmart settlement is an appropriate model to apply” in the Borders case. The FTC entered a settlement with Toysmart allowing the transfer of customer information under certain limited circumstances:

1) the buyer had to agree not to sell customer information as a standalone asset, but instead to sell it as part of a larger group of assets, including trademarks and online content;

2) the buyer had to be an entity that concentrated its business in the family commerce market, involving the areas of education, toys, learning, home and/or instruction;

3) the buyer had to agree to treat the personal information in accordance with the terms of Toysmart’s privacy policy; and

4) the buyer had to agree to seek affirmative consent before making any changes to the policy that affected information gathered under the Toysmart policy.

Mr. Vladeck concluded his letter by offering these guidelines:

“Borders agrees not to sell the customer information as a standalone asset;

The buyer is engaged in substantially the same lines of business as Borders;

The buyer expressly agrees to be bound by and adhere to the terms of Borders’ privacy policy; and

The buyer agrees to obtain affirmative consent from consumers for any material changes to the policy that affect information collected under the Borders’ policy.”

It seems that Mr. Vladeck’s letter had a significant impact on the ruling. Curiously, only a small percentage of customers understand the value their PI may have for a company, even though PI may be sold as assets.